Vulnerabilities / Threats

12/22/2016
01:40 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Inside The Vulnerability Disclosure Ecosystem

Report released by NTIA stakeholders offers new information on how organizations respond to security vulnerabilities - and what researchers think.
Previous
1 of 7
Next

Image Source: Pixabay

Image Source: Pixabay

A new National Telecommunications and Information Administration (NTIA)-led study of how security researchers and software vendors handle and view vulnerability disclosure provides rare insight into both sides of the equation.

NTIA formed a team of stakeholders from the software industry, security researchers, and industry at large to study how the various players could build a higher level of trust when it comes to disclosing vulnerability information.

“Having more disclosure won’t solve all our security challenges,” says Allan Friedman, director of cybersecurity initiatives at the NTIA. “But it will build a more collaborative environment where organizations can respond to and have good relationships with [stakeholders] in the security field.”

One of the three working groups formed by the NTIA conducted two surveys, one of security researchers and another of software vendors. The researchers survey received 414 responses, and the software vendor study received 285.

On the plus side, 92% of security researchers surveyed say they participate in some form of security disclosure, but 60% say threat of legal action could potentially deter them from working with a vendor to disclose a vulnerability  

And while 76% of vendors say they look internally to develop vulnerability handling procedures, only one in three require third parties to develop their own vulnerability handling procedures.  

“Cleary there needs to be more work done in working with third parties,” says Friedman. “Especially when so many of the high-profile breaches involved third parties.”

NTIA published three papers from the study, and here are some key takeaways:  

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Previous
1 of 7
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15607
PUBLISHED: 2018-08-21
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote atta...
CVE-2018-14795
PUBLISHED: 2018-08-21
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable due to improper path validation which may allow an attacker to replace executable files.
CVE-2018-6692
PUBLISHED: 2018-08-21
Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP post packet.
CVE-2018-14793
PUBLISHED: 2018-08-21
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable to a buffer overflow exploit through an open communication port to allow arbitrary code execution.
CVE-2017-17305
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher R...